Conflicting Laws In Determining If IP Addresses Can Identify You

Online behavioral advertising is supposed to match our search queries with products that advertisers think we would be interested in buying. However, if most people were told that their search habits were being monitored for advertising purposes (or so they would say) and then sold to the highest bidder without their knowledge or consent (I mean, really, how many people read their EULAs?), does that sort of business practice constitute, at the very minimum, an unfair and deceptive trade practice? Is it ethical? An invasion of privacy?

As co-chair of the Washington Technology Industry Association (WTIA) Security Special Interest Group (SIG), we posed this question to a panel of experts whose opinions on this topic were diverse and strongly held. In a prior blog entry, I wrote about how The New York Times was able to track down an unidentified AOL user simply by examining the search queries she entered on AOL’s search engine. The federal courts have now spoken on this matter, and the result is as expected: in ruling on whether IP addresses are personally identifiable information, the court conveniently "punted" the issue away. Judge Richard Jones of the U.S. District Court for the Western District of Washington, in Johnson v. Microsoft, stated that "[b]ecause the EULA [End-User License Agreement] does not incorporate the web glossary by reference, and there is no evidence that any of the Plaintiff’s even read the glossary, the court finds that the web glossary is not helpful to construing the provision…[A]n IP address identifies a computer, and can do that only after matching the IP address to a list of a particular Internet service provider’s subscribers. Thus, because an IP address is not personally identifiable, Microsoft did not breach the EULA when it collected IP addresses."

With all due respect to Judge Jones, is that last sentence the best you can do to decide this emerging and controversial issue? An IP address identifies a computer, sure, you have me on that one, but just as in other cases (e.g. how the feds prosecute wire fraud), it can be proven that a specific person used a particular computer. Why not take the logical next step and extend the ruling to the user rather than stopping at the computer? That, folks, is a great example of how courts, and in particular judges, "punt" an issue they don’t want to take on. How then does a company like Microsoft reconcile the fact that, when doing business in European Union states, IP addresses are "personally identifiable information"? In some respects, I have to tip my hat to the judge for not creating such a potentially "draconian" standard for personally identifiable information, but as far as I’m concerned, the issue is still unresolved. This is just another example of the disconnect between technology and the law. Many commentators, both legal and technical, see a need for uniformity in cyberspace law, but that is a reality that is not easily achieved. Judges don’t want to rule on the matter because any ruling will be too draconian, and since their experience with computers is rather limited due to their advanced age, they are not going to be the ones to tell businesses what standards of care should be applied to safeguarding people’s identities; legislators, meanwhile, are hesitant to expand the definition of personally identifiable information because they believe it will be too ad hoc.

This leaves businesses with only one REAL solution: risk management and mitigation. When the day comes that a company has to defend its business practices in a court (of law or of public opinion), damage control will be about all that is expected of it. The more "water" used to put out the fire, the better the chances that the fire will be put out quickly.